Pass -test-output-root and -test-allowlist to validation-gen so the
per-Kind coverage fixtures regenerate alongside the validators. Add the
allowlist YAML at test/declarative_validation/coverage-allowlist.yaml.
The local-up-cluster.sh script was used as proxy for controlling the etcd
lifecycle because the script was using a helper function that didn't support
dry-run mode. That approach was flawed in several ways, causing etcd to be left
running:
- Cmd.Stop wasn't actually called for the script by Cluster.Stop.
- If it had been called, the additional output during shutdown wouldn't
have been processed, which might have caused the command to block instead
of terminating (untested).
- It's unclear whether the script would have handled the signal properly.
A cleaner approach is to enable dry-run mode also in etcd .sh and then let
Cluster manage it like any other long-running process. Then we can let
local-up-cluster.sh terminate when it's done with its work. Cluster.Start can
check it's result immediately.
The new kube-openapi revision (v0.0.0-20260502001324-b7f5293f4787) no
longer pulls in github.com/mailru/easyjson, so remove it from the
status.unwantedReferences list to keep verify-vendor.sh green.
Moving the code made it impossible to import pkg/kubelet/metrics.
But all that the test needs is the subsystem name, so importing
the package can be avoided.
The logtools linter broke a while ago when moving to more recent Go and/or more
recent dependencies such that it stopped reporting certain issues. This was
only noticed much later when a broken log call was found in the code base which
should have been flagged as wrong by the linter.
It is possible to run upstream Go unit tests in a downstream project. This is
now done for logtools if (and only if) no explicit test targets are
selected. Because hack/tools is not part of the workspace, this only works
after changing directories. gotestsum gets invoked once for the root and this
additional directory with different result files and set of test targets.
We could add more upstream tests. etcd tests were mentioned as something where
that would be useful. However, right now upstream etcd tests have some
dependencies on being run inside the original source tree, so that would have
to be fixed first. For now only single etcd client package gets tests as
a proof-of-concept of the new support for testing vendored upstream packages.
For those, -mod=readonly is needed to avoid:
$ go test go.etcd.io/etcd/client/pkg/v3/fileutil
? go.etcd.io/etcd/client/pkg/v3/fileutil [no test files]
Bump go-openapi dependencies to latest versions:
- github.com/go-openapi/jsonpointer v0.21.0 → v0.22.4
- github.com/go-openapi/jsonreference v0.20.2 → v0.21.4
- github.com/go-openapi/swag v0.23.0 → v0.25.4
The new swag version has been restructured into a multi-module monorepo
with submodules (cmdutils, conv, fileutils, jsonname, jsonutils, loading,
mangling, netutils, stringutils, typeutils, yamlutils). As a result:
- mailru/easyjson and josharian/intern are no longer transitive deps
and have been removed from vendor
- go-openapi/jsonpointer and go-openapi/swag no longer reference
unwanted deps davecgh/go-spew, mailru/easyjson, or gopkg.in/yaml.v3
- Updated hack/unwanted-dependencies.json accordingly
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
Fixes CVE-2026-33814 (golang/go#78476): HTTP/2 Transport hangs
indefinitely when a peer sends a SETTINGS frame with MaxFrameSize=0.
This is reachable from kube-apiserver's OIDC, admission webhook,
and aggregated API client paths.
Convert pod_container_deletor.go to contextual logging without
changing its detached worker lifecycle.
Pass the caller logger into pod container cleanup paths, use a
logger-bound background context for DeleteContainer, update the
unit tests to use ktesting loggers, and remove the remaining
logcheck carve-out for pod_container_deletor.go.
Bump cel-go to v0.27.0 to pick up the fix for context cancellation
error reporting that's breaking CI (see #138334).
Changes worth noting:
- cel-go switched from gopkg.in/yaml.v3 to go.yaml.in/yaml/v3,
so removed it from the gopkg.in/yaml.v3 unwanted references
- Dropped transitive dep github.com/stoewer/go-strcase
- Updated transitive dep github.com/antlr4-go/antlr/v4
- Pinned cel-go at v0.27.0 in hack/unwanted-dependencies.json
Kubernetes-commit: <drop>
The latest pause version is 3.10.2 but due to the introduction
of the PATCH level version to the pause image (previously was
only MAJOR.MINOR), various files have remained on an older
version. Either 3.10 or 3.10.1. Our validation with
build/dependencies.yaml ./hack/verify-external-dependencies.sh
did not account for that.
